JP5980301B2 - Data access control and encryption method for preventing data outflow and apparatus for executing the same - Google Patents

Description

  The present invention relates to a database protection technique, and more particularly to a data access control and encryption method for preventing a large amount of data stored in a database from being leaked due to a cyber attack, and an apparatus for executing the same.

  Recently, as the performance of user terminals such as smart phones, tablet PCs, PDAs (Personal Digital Assistants), computers and notebook computers has evolved, and mobile communication technology has developed, users are created with their own user terminals. You can now share your data with others.

  In particular, with the popularization and use of user terminals, a database (database) connected to a large number of user terminals through a network in order to efficiently manage a large amount of data generated by the large number of user terminals. ) Tend to be utilized.

  Since various kinds of data that must be maintained with security, such as personal information of each user, can be stored in the database, research for protecting the database is actively underway.

  Thus, data protection that blocks attacker access leading to security incidents such as data corruption or leakage by allowing access to data stored in the database only to users who have been granted access to the database. Technology was commonly used.

  That is, if a user requests inquiry, search, modification, deletion, etc. for specific data using the user terminal, the database is specified only for users who have access authority to the database after authenticating the user. Controlling access to data by authorizing access to data.

  However, since the conventional technology as described above can access the entire large amount of data stored in the database if access to the database is approved, the authentication required for the user terminal to access the database. If information is leaked to the outside or hacked by an attacker, a large amount of data stored in the database can be leaked, and thus there is a problem that it is vulnerable to data protection. As a result, serious security accidents may occur.

  In particular, recently, as cyber attack methods and the number of attacks targeting a database have increased and the damage has spread, there is a tendency to demand a protection technology that can prevent a large amount of data from being leaked.

  The present invention has been made to solve the above-described problems, and its object is to control access to a database for each application to which a user terminal is connected, thereby storing data stored in the database or the database. It is an object of the present invention to provide a data access control and encryption method capable of improving security against the above.

  Another object of the present invention is to provide a data access control and encryption device capable of minimizing the outflow of data due to a cyber attack by limiting the range of accessible data for each application connected to the user terminal. It is in.

  A data access control and encryption method according to an aspect of the present invention for achieving the above object is executed by a data access control and encryption device linked with a user terminal, and an access request to a database is made from an application connected to the user terminal. By receiving, the step of generating application authentication information based on the application access control policy, the step of performing access authentication to the application database using the application authentication information, and the access to the application database being approved. Setting a data access range including at least one of a size of data accessible by an application and an access duration based on an application access control policy. No.

  Here, the data access control and encryption method may further include obtaining an application access control policy in advance before generating the application authentication information.

  Here, the application access control policy may be set in advance for each application including at least one of identification information for the application and access information for the application database.

  Here, in the step of generating the application authentication information, the application authentication information can be encrypted by being combined with the encryption information generated based on the encryption key set in advance.

  Here, the step of performing access authentication to the database generates decryption information based on a preset encryption key used for encryption of the application authentication information, and includes the encryption information combined with the application authentication information and The decryption information can be compared to check whether they match.

  Here, in the step of performing access authentication to the database, when the encrypted information combined with the application authentication information matches the decryption information, the access to the application database is approved, and the encrypted information combined with the application authentication information. And the decryption information do not match, access to the application database can be denied.

  Here, the step of setting the data access range includes at least one of a size of data accessible by the application and an access duration based on the application access control policy when the application is authorized to access the database. Data access range can be dynamically assigned.

  Here, the data access range may be set based on the database accessible time preset for the user terminal according to the organization, social position, or business type to which the user belongs.

  In addition, the data access control and encryption apparatus according to an aspect of the present invention for achieving the other object is linked to the user terminal, and receives an access request for the database from an application connected to the user terminal. An authentication information generation unit that generates application authentication information based on an application access control policy acquired in advance, and authentication for application authentication information, and access to the application database is approved, based on the application access control policy A data access control unit that sets a data access range including at least one of a size of data accessible by an application and an access duration.

  Here, the authentication information generation unit can be linked with at least one application that is connected by a user terminal and performs a specific process.

  Here, the data access control unit works in conjunction with a database management system (DBMS, Database Management System) that manages a database that stores data necessary for execution of a specific process by at least one application. Access can be controlled.

According to the data access control and encryption method and the apparatus for executing the same according to the embodiment of the present invention as described above, the access to the database is controlled according to the application to which the user terminal is connected. Data security can be improved.
Further, by limiting the range of data that can be accessed for each application connected to the user terminal, it is possible to minimize data leakage due to cyber attacks.

FIG. 1 is a flowchart illustrating a data access control and encryption method according to an embodiment of the present invention. FIG. 2 is an exemplary diagram illustrating that application authentication information is generated based on an application access control policy according to an embodiment of the present invention. FIG. 3 is a flowchart for explaining access authentication for a database according to an embodiment of the present invention. FIG. 4 is an exemplary diagram illustrating that an accessible data access range is set for each application according to an embodiment of the present invention. FIG. 5 is a block diagram illustrating a data access control and encryption apparatus according to an embodiment of the present invention.

  While the invention is susceptible to various modifications, and may have various embodiments, specific embodiments are illustrated by way of example in the drawings and will be described in detail. However, this should not be construed as limiting the invention to any particular embodiment, but should be understood to include all modifications, equivalents or alternatives that fall within the spirit and scope of the invention. Like reference numerals have been used for like components in the description of each drawing.

  Terms such as first, second, A, B, etc. may be used to describe various components, but the components are not limited to the terms. The terms are used to distinguish one component from another. For example, the first component can be named as the second component, and similarly, the second component can be named as the first component without departing from the scope of the present invention. The term “and / or” includes any of a plurality of related and described item combinations or a plurality of related and described items.

  When any component is referred to as being “coupled” or “connected” to another component, it may also be directly coupled to or connected to the other component. It should be understood that other components may exist in the middle. On the other hand, when any component is referred to as being “directly connected” or “directly connected” to another component, it must be understood that there is no other component in between .

  The terms used in the present application are merely used to describe particular embodiments, and are not intended to limit the present invention. The singular expression includes the plural unless the context clearly indicates otherwise. In this application, terms such as “comprising” or “having” are intended to indicate that there is a feature, number, step, action, component, part, or combination thereof described in the specification. It should be understood that the existence or additional possibilities of one or more other features or numbers, steps, operations, components, parts or combinations thereof are not excluded in advance.

  Unless defined otherwise, all terms used herein, including technical and scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. have. Terms such as those defined in commonly used dictionaries should be construed as having a meaning consistent with the meaning possessed in the context of the related art, and are ideal unless explicitly defined in the present invention. It is not interpreted as a formal or overly formal meaning.

The terms used in the specification of the present invention are defined as follows.
The user terminal may include a mobile communication terminal such as a smart phone, a tablet personal computer and a PDA (Personal Digital Assistant) operated by the user, a smart home appliance such as a smart TV, an information processing device such as a computer and a laptop computer. However, the present invention is not limited to this, and various devices that can access data located locally or remotely and provide services corresponding to user operations may be included.

  In the user terminal, a large number of applications that provide a user with specific services such as information search, financial transactions, shopping, games, multimedia impressions, telephone calls, and message transmission / reception may be installed.

  The application is a program that performs a specific process on the operating system of the user terminal (Operating System), and is not only a program that is basically installed in the user terminal, but also selectively downloaded as required by the user. An application (app) indicating a mobile application program that can be used by the user may be included.

  At this time, the application accesses a database in which data is stored in order to access data necessary for execution of the process.

  Here, the database is stored not only in a storage device mounted inside the user terminal, but also in an external storage device such as a cloud storage or a server connected to a number of user terminals via a network. Means a set of data managed for the purpose of being shared by.

  In general, the database is encrypted to protect a large amount of data. Therefore, it is possible to manage access to data through a database management system (DBMS, Database Management System) so that the data can be efficiently used by a large number of authorized users.

  At this time, at least one user terminal and database in which a large number of applications are installed are USB (Universal Serial Bus), Bluetooth (registered trademark), Wi-Fi (Wireless Fidelity: registered trademark), 3G (3 Generation). ) And a wired / wireless network such as LTE (Long Term Evolution), and can share data.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.
FIG. 1 is a flowchart illustrating a data access control and encryption method according to an embodiment of the present invention, and FIG. 2 illustrates that application authentication information is generated based on an application access control policy according to an embodiment of the present invention. FIG.

  FIG. 3 is a flowchart for explaining access authentication to a database according to an embodiment of the present invention. FIG. 4 shows that an accessible data access range is set for each application according to an embodiment of the present invention. FIG.

  Referring to FIG. 1, the data access control and encryption method can be performed by the data access control and encryption apparatus.

  Here, the data access control and encryption device may be realized by at least one user terminal equipped with at least one application that performs a specific process and a database that stores data necessary to perform the specific process.

  In addition, it is realized between a user terminal in which at least one application is installed and a database in which a large number of user terminals are connected via a wired and wireless network, and can be linked to the user terminal and the database, respectively, but is not limited thereto. It is not something.

  Generally, a user connects to an application installed in a user terminal and accesses a database. Thus, it is conventionally stored in the database by allowing access to the database only to user terminals that are authorized to access the database and blocking attacker access that induces security incidents such as data corruption or leakage. I've been trying to protect my data.

  However, in the case of such conventional technology, when authentication information used for receiving access authorization to the database is leaked to the outside, the entire data stored in the database can be leaked to the outside. Vulnerable to protection.

  Therefore, the present invention improves the security of the database and data by setting the range of accessible data for each application connected to the user terminal, and at the same time, prevents a large amount of data from being leaked due to a cyber attack. We propose a data access control and encryption method that can be used.

  The data access control and encryption method according to the present invention includes a step of generating application authentication information (S200), a step of performing access authentication to the application database using the application authentication information (S300), and an application accessible. A step of setting a proper data access range (S400).

  In order to generate application authentication information, an application access control policy can be acquired in advance (S100).

  The application access control policy may be preset for each application including at least one of identification information for the application and access information for the database of the application.

  More specifically, the application access control policy can be set by mapping the identification information 21 for the application and the access information 23 for the application database, as shown in FIG.

  Here, the identification information for the application may include a classification system, a classification code, or unique identification information given in advance according to the type and characteristics of the application, but is not limited thereto.

  Further, the access information to the application database includes information on the size of data that can be accessed according to the type and characteristics of the application or time information that can maintain the connection to the database, but is not limited thereto.

  For example, the access control policy for an application that supports group work includes “Groupware” that is identification information given in advance according to the type and characteristics of the application, the size “256 MB” of data that can be accessed by the application that supports group work, and a database. It can be set in advance by mapping the time “40 min” during which the connection to can be maintained.

  As a method similar to this, the access control policy for the application transmitting the message includes the identification information “MessageSend” for the application, the size of the data accessible by the application transmitting the message “84 MB”, and the time for maintaining the connection to the database. It can be set in advance by mapping “2 min”.

  After the application access control policy is acquired, if an access request for the database is received from an application connected by the user terminal, application authentication information can be generated based on the application access control policy (S200).

  For example, as shown in FIG. 2b, the application authentication information 25 includes identification information for the user terminal based on an application access control policy acquired in advance or a connection time when the user terminal tried to connect to the database. Can be generated.

  If the user terminal is connected to an application that supports group work, the application authentication information 25 is an IP that identifies the user terminal connected to the application in the identification information “Groupware” for the application preset by the application access control policy. The address '201.113.39.224' may be generated in a format such as 'groupware_2011.113.39.224_201040201030909', including the connection time '20140201030909' when the user terminal attempted to connect to the database through the application. .

  When the user terminal is connected to an application that transmits a message to another user terminal in this manner, the application authentication information 25 is connected to the application identification information “MessageSend” set in advance by the application access control policy. The identification information “User1” of the user terminal and the identification information “User4” of the user terminal to which the message is transmitted and the connection time '2014406170834' when the user terminal tried to connect to the database through the application are included. Can be generated.

  Here, the generated application authentication information can be encrypted by being combined with the encryption information generated based on the encryption key set in advance.

  More specifically, application authentication is performed by modifying a query by combining application authentication information and encryption information generated based on a preset encryption key at the head of a query requested by a user. Information can be encrypted.

  At this time, an encryption key set in advance is arbitrarily generated by an encryption key or data access control and encryption device used in a standard encryption algorithm such as AES (Advanced Encryption Standard) or RSA (Rivest Shamir Adleman). However, the present invention is not limited to this. The encryption information means a keyed Hash value generated by using an encryption key and a meaningless character array having a specific rule by using an encryption key and a Keyed Hash algorithm, but is not limited thereto.

  Access authentication to the application database can be performed using the encrypted application authentication information (S300).

  At this time, since the database is encrypted, in order to control access of the application to the encrypted database, it is necessary to perform access authentication using the encrypted application authentication information.

  In this manner, as shown in FIG. 3, when encrypted application authentication information is received (S310), decryption information is generated using the encryption key used for encrypting the application authentication information. (S320).

  That is, the decryption information is extracted from the encryption key used for encrypting the application authentication information with the application authentication information received after being encrypted, and then using the extracted encryption key and the Keyed Hash algorithm. The generated keyed hash value can be used.

  In this manner, the encrypted information combined with the encrypted application authentication information is compared with the decrypted information (S330), and it is confirmed whether the encrypted information and the decrypted information match with each other. Approval and denial of access to the database can be determined (S340).

  If the encrypted information and the decrypted information match, the access to the application database is approved (S341). If the encrypted information and the decrypted information do not match, an operation such as an operation or leak of the application authentication information is essential. Therefore, access to the application database can be denied (S343).

  When the access to the application database is approved, a data access range accessible by the application can be set (S400).

As shown in FIG. 4, data “D _ab ” arranged in the form of a two-dimensional array is accessed by “application_1” authorized to access the database, and “application_2” authorized to access the database. If data “D _cd ” arranged in the form of a two-dimensional array is accessed, data access range A and application_2 accessible by “application_1” can be accessed based on a preset application access control policy. Each data access range B is dynamically allocated.

For example, when “application_1” to which the user terminal is connected is an application that supports group work, an application access control policy that is set in advance as shown in FIG. 2a based on “D _ab ” to be accessed by “application_1”. By this, it is possible to set a data access range A that can maintain a connection for 256 minutes to 256 MB size data.

In addition, when the “application_2” connected to the user terminal is an application for transmitting and receiving messages, “D _cd ” to be accessed by the “application_2” is set as a reference as illustrated in FIG. According to the application access control policy, it is possible to set a data access range B that can maintain a connection for 84 minutes for data of 84 MB size.

  Thus, 'application_1' cannot access data outside the data access range A, and 'application_2' cannot access data outside the data access range B.

  Referring to Equation 1, the data leakage rate of the database can be calculated, thereby comparing the data leakage rate due to the cyber attack between the conventional technique and the data access control and encryption method presented in the present invention. it can.

  For example, assuming that the total amount of data stored in the database is 1024 MB, conventionally, if the database is attacked, the entire data 1024 MB stored in the database is leaked to the outside. The outflow rate can be calculated.

  On the other hand, according to the data access control and encryption method presented in the present invention, 'application_1' in which the data access range A is set can access only 256 MB of the entire data in the database. A data outflow rate of 25% can be calculated.

  As described above, the data access control and encryption method presented in the present invention limits the data access range including the size of data that can be accessed for each application connected to the user terminal and the connection duration. It can be confirmed that the outflow can be minimized.

  FIG. 5 is a block diagram illustrating a data access control and encryption apparatus according to an embodiment of the present invention.

  Referring to FIG. 5, the data access control and encryption apparatus 100 may be linked with a user terminal and may include an authentication information generation unit 110 and a data access control unit 120.

  The authentication information generation unit 110 can generate application authentication information based on an application access control policy obtained in advance by receiving an access request for the database from an application connected to the user terminal.

  At this time, the authentication information generation unit 110 can be linked with at least one application that is connected by a user terminal and performs a specific process. At least one application can be installed in the user terminal.

  The authentication information generation unit 110 may include a policy reception module 111, an information generation module 113, and an information encryption module 115.

  The policy reception module 111 can obtain in advance an application access control policy set in advance by a policy setting module 121 of the data access control unit 120 described later.

  The information generation module 113 can generate application authentication information based on an application access control policy by receiving an access request for a database from an application connected to a user terminal.

  For example, the application authentication information can be generated including identification information for the user terminal and a connection time when the user terminal tried to connect to the database based on the application access control policy acquired in advance.

  At this time, if an access request to the database is received from an application connected to the user terminal, the generated application authentication information is recorded as log information, and can be managed as a database access request history of the application. .

  The information encryption module 115 can encrypt the application authentication information by combining it with encryption information generated based on a preset encryption key.

  More specifically, for example, application authentication is performed by modifying a query by combining application authentication information and encryption information generated based on a preset encryption key at the head of a query requested by a user through an application. Information can be encrypted.

  At this time, a preset encryption key is arbitrarily generated by an encryption key or a data access control and encryption device using a standard encryption algorithm such as AES (Advanced Encryption Standard) or RSA (Rivest Shamir Adleman). However, the present invention is not limited to this.

  The encryption information refers to a keyed hash value generated from an application authentication information generated by an encryption key and an array of meaningless characters having a specific rule by using a keyed hash algorithm, but is not limited thereto. .

  In this way, the encrypted application authentication information can be transmitted to the data access control unit 120.

  The data access control unit 120 authenticates the application authentication information and approves access to the application database, so that at least one of the data size and the access duration that can be accessed for each application based on the application access control policy. A data access range including one can be set.

  At this time, the data access control unit 120 can perform database encryption and decryption operations in order to protect a database storing a large number of data.

  In particular, the data access control unit 120 works in conjunction with a database management system that manages a database that stores data necessary for performing a specific process in at least one application. Data requested through the application or information such as the time for which the application maintains connection to the database is recorded as log information, and access to the database can be managed for each application.

  The data access control unit 120 may include a policy setting module 121, an authentication execution module 123, and a data access control module 125.

  The policy setting module 121 may set an application access control policy including at least one of identification information for an application and access information for an application database.

  Here, the identification information for the application includes a classification system, a classification code, or unique identification information given in advance according to the type and characteristics of the application, but is not limited thereto.

  In addition, the access information to the application database includes information on the size of data that can be accessed according to the type and characteristics of the application or time information that can maintain the connection to the database, but is not limited thereto.

  The authentication execution module 123 can perform access authentication for the database by receiving the application authentication information encrypted by the information encryption module 115 of the authentication information generation unit 110.

  More specifically, since the database is encrypted, access authentication can be performed using the encrypted application authentication information in order to control the access of the application to the encrypted database.

  In order to perform access authentication to the application database, decryption information can be generated using an encryption key used for encrypting application authentication information. At this time, the decryption information is obtained by extracting the encryption key used to encrypt the application authentication information from the encrypted application authentication information, and then extracting the extracted encryption key and the Keyed Hash algorithm. It can be a keyed Hash value generated by use.

  In this way, the encrypted information combined with the encrypted application authentication information is compared with the decrypted information, whether or not the encrypted information and the decrypted information match, and the encrypted information and the decrypted information are confirmed. If the information matches, the access to the application database is approved. If the encrypted information and the decryption information do not match, it is suspected that the application authentication information is manipulated or leaked. Access can be denied.

  The data access control module 125 can set a data access range that can be accessed by the application when the access of the application to the database is approved.

  More specifically, the data access range can be dynamically assigned including at least one of a data size accessible by an application and an access duration based on an application access control policy.

  For example, the data access range includes the size of data that can be accessed for each application and the access duration based on the database accessible time set in advance by the organization, social location, or business type to which the user operating the user terminal belongs. The setting may be different, but is not limited to this.

  Here, the authentication information generation unit 110 and the data access control unit 120 have been described as being included in the data access control and encryption apparatus 100. However, the present invention is not limited to this, and the authentication information generation unit 110 is provided with an application. The data access control unit 120 implemented in a user terminal is independently implemented in a database linked with a large number of user terminals, and can prevent a large amount of data from being leaked out of the database.

  The above description has been made with reference to the preferred embodiments of the present invention. However, those skilled in the art will be within the scope of the spirit and scope of the present invention described in the following claims. Thus, it should be understood that various modifications and changes can be made to the present invention.

21 Identification Information for Application 23 Access Information for Database 25 Application Authentication Information 100 Data Access Control and Encryption Device 110 Authentication Information Generation Unit 111 Policy Reception Module 113 Information Generation Module 115 Information Encryption Module 120 Data Access Control Unit 121 Policy Setting Module 123 Authentication execution module 125 Data access control module

Claims (16)

In a data access control and encryption method performed in a data access control and encryption device linked with a user terminal,
Generating application authentication information based on information related to application access control by receiving an access request for a database from an application connected by the user terminal;
Encrypting the application authentication information based on a preset encryption key;
Generating decryption information based on the preset encryption key;
Authorizing access to the database of the application if the encrypted application authentication information matches the decryption information;
A step of setting a data access range including at least one of a size of data accessible by the application and an access duration based on the information related to the application access control by allowing the application to access the database. When,
Including data access control and encryption method. Before generating the application authentication information,
The data access control and encryption method according to claim 1, further comprising obtaining in advance information related to the application access control. Information on the application access control is as follows:
3. The data access control and encryption method according to claim 2, wherein at least one of identification information for the application and access information for the database of the application is set in advance for each application. The data access control and encryption method includes:
If the decoding information and the encrypted application authentication information does not match, and further comprising a reject step access to the database of the application, the data access control and encryption of claim 1 Method. The step of setting the data access range includes:
When the access of the application to the database is approved, a data access range including at least one of a size of data accessible by the application and an access duration is dynamically allocated based on the information related to the application access control. The data access control and encryption method according to claim 4 , wherein: The data access range is
6. The data access control and encryption according to claim 5 , wherein the data access control and encryption are set based on a database accessible time set in advance according to an organization, a social position, or a business type to which a user operating the user terminal belongs. Method. In the data access control and encryption device linked with the user terminal,
When an access request to the database is received from an application connected to the user terminal, application authentication information is generated based on information about application access control acquired in advance, and the application authentication information is set in advance with an encryption key. An authentication information generation unit including an encryption module that performs encryption based on
The decryption information is generated based on the preset encryption key, and when the encrypted application authentication information and the decryption information match, the access of the application to the database is approved, and the database of the application A data access control unit configured to set a data access range including at least one of a size of data accessible by the application and an access duration based on information related to the application access control by allowing access to
Including data access control and encryption device. The authentication information generation unit
8. The data access control and encryption device according to claim 7 , wherein the data access control and encryption device is linked with at least one application connected by the user terminal and performing a specific process. The data access control unit
In conjunction with a database management system (DBMS, Database Management System) that manages a database that stores data necessary for performing a specific process in the at least one application, access of data is controlled for each application, The data access control and encryption apparatus according to claim 8 . The data access control unit
And a policy setting module configured to set information on application access control for each application including at least one of identification information for each of the at least one application and access information for the database of each of the at least one application. The data access control and encryption device according to claim 9 . The authentication information generation unit
11. The data access control and encryption apparatus according to claim 10 , further comprising a policy reception module that obtains in advance information on application access control set by the policy setting module. The authentication information generation unit
An information generation module that generates application authentication information based on information about application access control obtained in advance by receiving an access request for a database from an application connected to the user terminal, The data access control and encryption device according to claim 11 . The data access control unit
Including authentication execution module,
8. The data access control and encryption device according to claim 7 , wherein the authentication execution module generates the decryption information and determines whether to approve access to the database of the application . The authentication execution module includes:
If the decoding information and the encrypted application authentication information does not match, characterized in that it denies access to said database of said application, the data access control and encryption device according to claim 13. The data access control unit
When the access to the database of the application is approved, the data access range including at least one of the size of data accessible by the application and the access duration is dynamically changed using the information on the application access control. 15. The data access control and encryption device according to claim 14 , further comprising a data access control module to be assigned. The data access range is
The data access control and encryption according to claim 15 , wherein the data access control and encryption are set based on a database accessible time set in advance according to an organization, a social position, or a business type to which a user operating the user terminal belongs. Device.